Compliance is a Headache for Cloud Adoption

While the hybrid cloud is becoming the preferred choice for organizations that want to move IT to the cloud, actually getting there can prove a headache. Beyond the technical requirements, moving to the cloud while staying compliant with government mandates and guidelines is turning out to be no easy thing.

In September 2014, the Council of the Inspectors General published its findings from an examination of 77 commercial cloud contracts that federal agencies had issued as they transitioned to the cloud. All of them, the council said, lacked the detailed specifications recommended in federal cloud computing guidelines and best-practices documentation.

“Additionally,” the report said, “59 cloud systems reviewed did not meet the requirements to become compliant with FedRAMP by June 5, 2014, even though the requirement was announced on Dec. 8, 2011.”

The report concluded, damningly, that none of the 19 agencies covered by the council's review had adequate controls in place to manage its cloud service providers or the data residing in its cloud systems.

Earlier studies had come up with similar findings. In 2013, for example, the Ponemon Institute surveyed more than 4,000 organizations in seven countries and found that just over half of respondents did not know exactly what their cloud provider does to protect their data; only 30 percent said they did. At the same time, respondents still expressed a "marked increase in confidence" in the ability of cloud providers to protect sensitive and confidential data.

FedRAMP (the Federal Risk and Authorization Management Program) and FISMA (the Federal Information Security Management Act) are the two federal requirements most closely tied to cloud adoption by government agencies. The Office of Management and Budget (OMB) set the 2014 deadline for vendor compliance with FedRAMP, which defines a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FISMA compliance, which requires agencies to develop, document and implement information security measures for systems such as cloud services, is assessed every year.

In the final version of its US Government Cloud Computing Technology Roadmap (NIST Special Publication 500-293), issued in September 2014, the National Institute of Standards and Technology (NIST) detailed 10 requirements that need to be part of any agency cloud initiative, including one stating that agencies should ensure that cloud services and products meet their unique policy and compliance requirements.

Cloud service consumers “need to be able to precisely specify and receive services,” NIST said.

Some systemic barriers stand in the way of cloud initiatives coming into compliance. Even though OMB has mandated that all cloud systems used by government agencies comply with FedRAMP, for example, the FedRAMP program management office has no authority to enforce compliance at the agency level.

To spur better compliance, the Council of the Inspectors General has recommended that OMB:

  • Establish standardized contract clauses that agencies must use when adopting cloud computing technologies;
  • Determine how best to enforce FedRAMP compliance; and
  • Establish a process and reporting mechanism to ensure Federal agencies require cloud providers to meet the FedRAMP authorization requirements in a timely manner.

This is where managed cloud services can provide the greatest value for agency users, some of whom may not have the technical resources or expertise to meet the very specific compliance requirements, said David Weisbrot, federal cloud business manager at QTS. Such services can be used, for example, to continuously monitor an intrusion detection system, or to collect and archive security logs, all of which are required to meet FISMA Moderate needs.